Huawei VPN Technology (GRE tunnel)

1. Start the devices

2. Configure IP addresses

[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip add 192.168.1.254 24
[FW1-GigabitEthernet1/0/0]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip add 100.1.1.1 24
[FW1-GigabitEthernet1/0/1]service-manage ping permit

[FW2]int g1/0/0
[FW2-GigabitEthernet1/0/0]ip add 192.168.2.254 24
[FW2-GigabitEthernet1/0/0]int g1/0/1
[FW2-GigabitEthernet1/0/1]ip add 200.1.1.2 24
[FW2-GigabitEthernet1/0/1]service-manage ping permit

[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip add 100.1.1.2 24
[AR1-GigabitEthernet0/0/0]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip add 200.1.1.1 24

3. Configure the Tunnel interfaces

[FW1]int Tunnel 0
[FW1-Tunnel0]ip add 172.16.1.1 24
[FW1-Tunnel0]tunnel-protocol gre
[FW1-Tunnel0]source 100.1.1.1
[FW1-Tunnel0]destination 200.1.1.2

[FW2]int Tunnel 0
[FW2-Tunnel0]ip add 172.16.1.2 24
[FW2-Tunnel0]tunnel-protocol gre
[FW2-Tunnel0]source 200.1.1.2
[FW2-Tunnel0]destination 100.1.1.1

4. Add the firewall interfaces to their security zones

[FW1]firewall zone trust
[FW1-zone-trust]add int g1/0/0
[FW1-zone-trust]q
[FW1]firewall zone untrust
[FW1-zone-untrust]add int g1/0/1
[FW1-zone-untrust]add int Tunnel 0

[FW2]firewall zone trust
[FW2-zone-trust]add int g1/0/0
[FW2-zone-trust]q
[FW2]firewall zone untrust
[FW2-zone-untrust]add int g1/0/1
[FW2-zone-untrust]add int Tunnel 0

5. Configure OSPF

[FW1]ospf 1
[FW1-ospf-1]area 0
[FW1-ospf-1-area-0.0.0.0]network 100.1.1.0 0.0.0.255

[AR1]ospf 1
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]network 100.1.1.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]network 200.1.1.0 0.0.0.255

[FW2]ospf 1
[FW2-ospf-1]area 0
[FW2-ospf-1-area-0.0.0.0]network 200.1.1.0 0.0.0.255

6. Configure static routes (private networks reachable through the tunnel)

[FW1]ip route-static 192.168.2.0 24 Tunnel 0
[FW2]ip route-static 192.168.1.0 24 Tunnel 0

7. Configure the firewall security policies

[FW1]security-policy
[FW1-policy-security]rule name local-untrust
[FW1-policy-security-rule-local-untrust]source-zone local
[FW1-policy-security-rule-local-untrust]destination-zone untrust
[FW1-policy-security-rule-local-untrust]source-address 100.1.1.0 0.0.0.255
[FW1-policy-security-rule-local-untrust]destination-address 200.1.1.0 0.0.0.255
[FW1-policy-security-rule-local-untrust]action permit
[FW1-policy-security-rule-local-untrust]q
[FW1-policy-security]rule name untrust-local
[FW1-policy-security-rule-untrust-local]source-zone untrust
[FW1-policy-security-rule-untrust-local]destination-zone local
[FW1-policy-security-rule-untrust-local]source-address 200.1.1.0 0.0.0.255
[FW1-policy-security-rule-untrust-local]destination-address 100.1.1.0 0.0.0.255
[FW1-policy-security-rule-untrust-local]action permit
[FW1-policy-security-rule-untrust-local]q
[FW1-policy-security]rule name trust-untrust
[FW1-policy-security-rule-trust-untrust]source-zone trust
[FW1-policy-security-rule-trust-untrust]destination-zone untrust
[FW1-policy-security-rule-trust-untrust]source-address 192.168.1.0 0.0.0.255
[FW1-policy-security-rule-trust-untrust]action permit
[FW1-policy-security-rule-trust-untrust]q
[FW1-policy-security]rule name untrust-trust
[FW1-policy-security-rule-untrust-trust]source-zone untrust
[FW1-policy-security-rule-untrust-trust]destination-zone trust
[FW1-policy-security-rule-untrust-trust]action permit

[FW2]security-policy
[FW2-policy-security]rule name untrust-local
[FW2-policy-security-rule-untrust-local]source-zone untrust
[FW2-policy-security-rule-untrust-local]destination-zone local
[FW2-policy-security-rule-untrust-local]action permit
[FW2-policy-security-rule-untrust-local]q
[FW2-policy-security]rule name local-untrust
[FW2-policy-security-rule-local-untrust]source-zone local
[FW2-policy-security-rule-local-untrust]destination-zone untrust
[FW2-policy-security-rule-local-untrust]action permit
[FW2-policy-security-rule-local-untrust]q
[FW2-policy-security]rule name trust-untrust
[FW2-policy-security-rule-trust-untrust]source-zone trust
[FW2-policy-security-rule-trust-untrust]destination-zone untrust
[FW2-policy-security-rule-trust-untrust]source-address 192.168.2.0 0.0.0.255
[FW2-policy-security-rule-trust-untrust]action permit
[FW2-policy-security-rule-trust-untrust]q
[FW2-policy-security]rule name untrust-trust
[FW2-policy-security-rule-untrust-trust]source-zone untrust
[FW2-policy-security-rule-untrust-trust]destination-zone trust
[FW2-policy-security-rule-untrust-trust]source-address 192.168.1.0 0.0.0.255
[FW2-policy-security-rule-untrust-trust]action permit

8. Configure the NAT policies

[FW1]nat-policy
[FW1-policy-nat]rule name trust-untrust
[FW1-policy-nat-rule-trust-untrust]source-zone trust
[FW1-policy-nat-rule-trust-untrust]destination-zone untrust
[FW1-policy-nat-rule-trust-untrust]source-address 192.168.1.0 0.0.0.255
[FW1-policy-nat-rule-trust-untrust]action source-nat easy-ip

[FW2]nat-policy
[FW2-policy-nat]rule name trust-untrust
[FW2-policy-nat-rule-trust-untrust]source-zone trust
[FW2-policy-nat-rule-trust-untrust]destination-zone untrust
[FW2-policy-nat-rule-trust-untrust]source-address 192.168.2.0 0.0.0.255
[FW2-policy-nat-rule-trust-untrust]action source-nat easy-ip

Verification:

1. PC2 can ping PC1.

2. Check FW2's firewall session table (observe how the GRE packets flow).

3. Check the NAT translation (when PC2 pings 100.1.1.1, look at the firewall session table: the private source address is translated to 200.1.1.2 before the traffic reaches 100.1.1.1).

4. Capture packets on FW2's G1/0/1 interface (GRE is IP protocol number 47).
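To make sense of the capture in step 4 and of the tunnel configured in step 3, the following added Python example (not part of the original post) builds a constructed GRE-over-IPv4 packet as FW2's Tunnel0 would emit it (outer 200.1.1.2 -> 100.1.1.1, protocol 47) and decodes it back into outer header, GRE header and inner header. The PC addresses 192.168.2.1 and 192.168.1.1 are assumed; the decoder also shows why GRE alone is not a confidentiality control: the inner private addresses and payload are readable in plaintext, which is why GRE is normally paired with IPsec when the transit network is untrusted.

```python
import struct
from ipaddress import IPv4Address

GRE_PROTO = 47            # IP protocol number of GRE (what the outer header carries)
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" value for an IPv4 payload


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum over an IPv4 header; returns 0 when a filled-in checksum verifies."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum, followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_gre_sample() -> bytes:
    """Constructed sample: ICMP echo PC2 (192.168.2.1, assumed) -> PC1 (192.168.1.1, assumed), GRE-wrapped by FW2."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping"            # echo request, id 1, seq 1
    inner = build_ipv4("192.168.2.1", "192.168.1.1", 1, icmp)          # proto 1 = ICMP
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)                   # no C/K/S flags, version 0
    return build_ipv4("200.1.1.2", "100.1.1.1", GRE_PROTO, gre + inner)  # outer = tunnel source/destination


def decode_gre(packet: bytes) -> dict:
    """Decode outer IPv4 + GRE + inner IPv4 of a captured packet (IP layer, no Ethernet frame)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError(f"not GRE: outer IP protocol is {packet[9]}")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    # base GRE header is 4 bytes; C (0x8000), K (0x2000), S (0x1000) each add a 4-byte field
    gre_len = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    if ptype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported GRE payload type 0x{ptype:04x}")
    inner = packet[ihl + gre_len:]
    return {
        "outer_src": str(IPv4Address(packet[12:16])),
        "outer_dst": str(IPv4Address(packet[16:20])),
        "outer_checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
        "inner_src": str(IPv4Address(inner[12:16])),   # readable in the clear: GRE does not encrypt
        "inner_dst": str(IPv4Address(inner[16:20])),
        "inner_proto": inner[9],
    }
```

Feed `decode_gre` the IP-layer bytes of a frame from the step 4 capture to confirm the outer addresses match the tunnel `source`/`destination` and that the inner addresses are the private subnets routed via Tunnel 0 in step 6.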
